
Re: Mac OS X shellcode and SIGTRAP

From: Dino Dai Zovi <ddz(at)theta44.org>
Date: Sat May 24 2003 - 20:05:18 EDT


David,

The SIGTRAP you get is to notify the debugger that a new process was started, so you can usually safely continue through it.

You are having a problem because you inserted your stuff before the 'bnel' instruction. The xor./bnel combo is what actually moves the pc into the lr register. Without that, the value in r31 that you use is bogus. So when you run it from the command line, you are getting a segfault because you are trying to write to an illegal address. Somehow, when you run it in GDB, the value that just happens to be in r31 at the time does not cause an illegal access in the 'stbx' instruction. If you move the 'bnel' back up to after the 'xor.', you will have a valid value you can use in there.

Also, don't bother fixing up the 'sc' instruction. The unused bits in it are ignored, so there is no need to set them back to nulls. It also does no good right now because the data cache and instruction cache on the PowerPC are separate. So the processor is executing the unmodified 'sc' instruction from the cache, not the one that you modified (which will be stored in the data cache and written through to main memory). You will need to put in an 'icbi' instruction to invalidate the instruction cache block that contains the 'sc' instruction for the processor to execute the modified instruction. But, that is a pain, and unnecessary, so just don't bother.

Best of luck and have fun with my shellcode,

-Dino

--
          Dino Dai Zovi / ddz@theta44.org / www.theta44.org
       "Bein' Crazy is the least of my worries." - Jack Kerouac
          C439 2B06 D8D2 A2D8 1ABB  0A55 A61D 9057 63F5 9B1F
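The xor./bnel idiom Dino describes above (a self-xor that sets cr0.EQ, followed by a not-taken conditional branch whose LK bit still writes the next-instruction address into LR) is distinctive enough in machine code that a reviewer or analyst can look for it in a byte stream. The following scanner is an added example written for this page, not code from the thread or from Dino's shellcode; it builds its sample instruction words from the PowerPC Book I encodings (opcode 31/XO 316 for `xor.`, opcode 16 for `bc`, opcode 31/XO 339 for `mfspr`) and then locates the pair. The sample buffer, register numbers and displacement are constructed test data; the function and constant names are this example's own.

```python
import struct

OP_BC = 16          # bc: conditional branch (LK=1 stores next PC in LR even when not taken)
OP_X = 31           # X-form integer ops (xor, mfspr, ...)
XO_XOR = 316
XO_MFSPR = 339
BO_FALSE = 4        # BO=4: branch if the named condition bit is false
BI_CR0_EQ = 2       # BI=2: cr0.EQ, so BO=4/BI=2 is "bne"

def enc_xor_rc(r):
    """Encode xor. rA,rS,rB with all three fields set to r; Rc=1 updates cr0."""
    return (OP_X << 26) | (r << 21) | (r << 16) | (r << 11) | (XO_XOR << 1) | 1

def enc_bnel(bd):
    """Encode bnel: bc with BO=4, BI=cr0.EQ, AA=0, LK=1. bd is a signed byte displacement."""
    return (OP_BC << 26) | (BO_FALSE << 21) | (BI_CR0_EQ << 16) | (bd & 0xFFFC) | 1

def enc_mflr(rt):
    """Encode mfspr rT,LR (SPR 8). The 10-bit SPR field carries its two 5-bit halves swapped."""
    spr = 8
    spr_field = ((spr & 0x1F) << 5) | (spr >> 5)
    return (OP_X << 26) | (rt << 21) | (spr_field << 11) | (XO_MFSPR << 1)

def self_xor_rc_reg(word):
    """Return the register number if word is xor. rX,rX,rX, else None."""
    if word >> 26 != OP_X or ((word >> 1) & 0x3FF) != XO_XOR or (word & 1) != 1:
        return None
    rs, ra, rb = (word >> 21) & 0x1F, (word >> 16) & 0x1F, (word >> 11) & 0x1F
    return rs if rs == ra == rb else None

def bc_link_fields(word):
    """Return (BO, BI, displacement) if word is a bc with LK=1, else None."""
    if word >> 26 != OP_BC or (word & 1) != 1:
        return None
    bo, bi = (word >> 21) & 0x1F, (word >> 16) & 0x1F
    bd = word & 0xFFFC
    if bd & 0x8000:          # sign-extend the 16-bit displacement field
        bd -= 0x10000
    return bo, bi, bd

def find_pc_discovery(blob):
    """Scan big-endian 32-bit words for xor. rX,rX,rX immediately followed by bnel.

    Returns a list of (byte_offset, register, branch_displacement) tuples.
    """
    usable = len(blob) - len(blob) % 4
    words = [struct.unpack('>I', blob[i:i + 4])[0] for i in range(0, usable, 4)]
    hits = []
    for i in range(len(words) - 1):
        reg = self_xor_rc_reg(words[i])
        if reg is None:
            continue
        branch = bc_link_fields(words[i + 1])
        if branch is None:
            continue
        bo, bi, bd = branch
        if bo == BO_FALSE and bi == BI_CR0_EQ:
            hits.append((i * 4, reg, bd))
    return hits

# Constructed sample: the idiom (xor. r5,r5,r5 / bnel -16 / mflr r31) padded with
# a nop (ori r0,r0,0) on each side. Nothing here is taken from the thread.
NOP = 0x60000000
SAMPLE = struct.pack('>IIIII', NOP, enc_xor_rc(5), enc_bnel(-16), enc_mflr(31), NOP)

# Negative control: same shape, but the branch has LK=0 (plain bne), so LR is never written.
SAMPLE_NO_LINK = struct.pack('>III', enc_xor_rc(5), enc_bnel(-16) & ~1, enc_mflr(31))

if __name__ == '__main__':
    for off, reg, bd in find_pc_discovery(SAMPLE):
        print(f'offset {off}: xor. r{reg},r{reg},r{reg} followed by bnel {bd:+d} (LR <- next PC)')
    print('no-link control hits:', find_pc_discovery(SAMPLE_NO_LINK))
```

The scanner is deliberately narrow: it only flags the exact pair Dino names, so a byte stream that happens to contain a `bnel` without the preceding self-xor, or the self-xor followed by a branch that does not set LK, is left alone. Widening it to any `bcl`/`bl`-based PC discovery would trade that precision for recall, which is the usual tuning decision for this kind of signature.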
Received on Sat May 24 20:16:03 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT

